Ok, this was a painful learning process, so listen up and listen well:

It took me a few hours to figure this all out.  Google is not your friend,
and the world wide web is more like a net with weights on it, pulling you
under water.  It's non-intuitive, and after you know it, it's super easy to
remember.


What would happen if my motherboard died and I needed to swap my encrypted
hard drive into a new laptop and I lost my TPM?

Now that it's figured out, it only takes ... 2 boots and half a dozen
trivial steps (what's that, 2-3 minutes altogether?) ... to get everything
working well again on new hardware.

I love the TPM.  I love BitLocker.  I'm really truly impressed.

Ideally, you know you're about to replace your motherboard, or mess around
with your boot sector or partition tables or something like that.  In other
words, ideally you know you're about to break your TPM.  Go to Control Panel
/ BitLocker.  Suspend BitLocker on your C: drive.  This does not decrypt
your drive, but saves either the TPM root keys, or the BitLocker keys (I'm
not sure which) in plain-text on the drive where the startup process knows
to find them, so you're able to boot up, without the assistance of the TPM.


Most likely, you're not so lucky.  The motherboard died or something like
that.  You're forced to swap your encrypted hard drive into a new laptop, so
you've unfortunately lost your TPM root keys, and you did not suspend
BitLocker before this happened.  No worries.  See below.


You *must* have saved your BitLocker Recovery Key to someplace outside of
your computer before losing your TPM, or you *must* have suspended BitLocker
before losing your TPM.  That's very important.  Otherwise, you would be
boned.  If your computer is part of an AD domain, your administrator may
have automatically saved the Recovery Keys in AD via Group Policy.


1.  In your new laptop BIOS, enable and clear TPM.  This ensures you will
not be "inheriting" root keys from somebody else who knows those keys.  It
also ensures you know the TPM password, because now it's blank.  It also
ensures nobody else knows the TPM password, because you're about to set it
with random bits.

2.  Upon bootup, if you weren't able to suspend BitLocker before, you'll be
required to enter the BitLocker Recovery Key (48 digits all-numeric) you
saved earlier to a txt file.

3.  Go to Control Panel / BitLocker

a.  If you haven't already, now is the time to suspend BitLocker on C:.
This does not decrypt your drive, but saves either the TPM root keys, or the
BitLocker keys (I'm not sure which) in plain-text on the drive where the
startup process knows to find it, so you're able to boot up, without the
assistance of the TPM.

b.  You cannot "resume" BitLocker until after TPM is initialized.

c.  From within the BitLocker control panel, click on "TPM Administration."

d.  Initialize.  (Requires reboot)  The TPM hardware-generates a new TPM
root key.

4.  Windows boots up again

a.  You are forced to save the TPM password to a file.  Unless you will be
doing more TPM work later, like creating a PIN or stuff like that, this is
pointless because you are always safe (even clearing the TPM) as long as you
have the BitLocker key.  And no matter what you do, you are not safe unless
you *do* have the BitLocker key.  So really, truly, you need to save the
BitLocker key, and it is pointless to save the TPM password.  So just save
it to your desktop, and then delete it, and empty the trash.

b.  This completes the TPM initialization process.

c.  Once again, go to Control Panel / BitLocker

     i.   Resume Protection.
Note:  This is a near-instant operation.  It does not rekey your whole hard
drive.  I therefore logically conclude that BitLocker only uses the TPM root
key to unlock a small file on disk which stores the actual BitLocker key.
Since a new TPM root key was generated randomly, when you "resume"
protection on the C: drive, BitLocker only needs to re-encrypt a very small
file.

     ii.  That's it.  You're all done.

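The same steps 3 and 4 above, done from an elevated PowerShell prompt instead of the Control Panel.  This is an added example, not something from the original post; it assumes Windows 8 / Server 2012 or later (the BitLocker and TrustedPlatformModule cmdlets did not exist on the Vista/7-era builds the post was written against), and it refuses to touch the TPM unless a recovery password protector is already on the volume, since that is the only thing that gets you back in if the new TPM binding fails.

```powershell
# Added example (not from the original post): check C: and the new TPM after a
# hardware swap, suspend if needed, initialize the TPM, then resume protection.
# Assumes an elevated prompt on Windows 8+/Server 2012+ with the BitLocker and
# TrustedPlatformModule modules.

$MountPoint = 'C:'

# Step 3a/3b: what state is the volume in right now?
$vol = Get-BitLockerVolume -MountPoint $MountPoint
"{0}: VolumeStatus={1} ProtectionStatus={2}" -f $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus

# Never proceed without a recovery password protector; it is the only way back in.
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    throw "No RecoveryPassword protector on $MountPoint - add and save one before continuing."
}

# If you got in by typing the 48-digit key at boot, protection is still On; suspend it
# so the next reboots do not prompt again.  RebootCount 0 = stay suspended until resumed.
if ($vol.ProtectionStatus -eq 'On') {
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 0 | Out-Null
    "Protection suspended on $MountPoint"
}

# Step 3c/3d: the new board's TPM.  Initialize-Tpm is the cmdlet behind the
# "Initialize" button in TPM Administration and may ask for a reboot.
$tpm = Get-Tpm
if (-not $tpm.TpmPresent) { throw 'No TPM found on this hardware.' }
if (-not $tpm.TpmReady) {
    Initialize-Tpm
    'TPM initialization requested; reboot and run this script again.'
    return
}

# Step 4c.i: resume.  Only the small TPM-sealed protector is rewritten, not the
# volume's data, which is why it finishes almost instantly.
Resume-BitLocker -MountPoint $MountPoint | Out-Null

# Verify: protection is On again and a TPM protector is listed for the volume.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$tpmProt = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm'
if ($vol.ProtectionStatus -eq 'On' -and $tpmProt) {
    "Protection resumed on $MountPoint with TPM protector $($tpmProt.KeyProtectorId)"
} else {
    throw "Protection not fully restored on $MountPoint; check: manage-bde -status $MountPoint"
}
```

Run it once, reboot if it asks for TPM initialization, then run it again; the second pass is the "Resume Protection" step.  `manage-bde -status C:` shows the same before/after picture if you prefer the command-line tool.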
There are two major things I'm testing.  (a) prove that I'm able to do
complete system backup & recovery with daily incrementals efficiently on
BitLocker, because that would be necessary if my hard drive failed, and (b)
ensure I am able to remove a drive from a computer, insert it into another
computer, and either boot from it, or access it as an external drive,
because that would be necessary if my laptop died.


I haven't tested (a) yet, but I'm doing it a few minutes from now, and I'm
very confident.


(b) was hard.  Here's the thing to learn:


If you're using AD and want to deploy for an organization, start here and be
prepared to read a lot:

http://technet.microsoft.com/en-us/library/cc731549(WS.10).aspx

You can automatically have BitLocker Recovery Keys saved in AD.

You can set policy to prohibit users from saving their own BitLocker keys...

You can enable policy for BitLocker keys to load from USB instead of TPM,

etc.


But for the most basic setup, suppose there is no AD, and you just have a
single laptop.  When you enable BitLocker on a drive, you'll be prompted to
save your BitLocker Recovery Keys to a txt file.  Save it someplace good and
secure.

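A scripted version of "save the recovery key someplace good," as an added example that is not from the original post: it lists the protectors on C:, writes the 48-digit recovery password (plus the protector ID the recovery screen asks for) to a file on removable media, and, if the machine happens to be domain-joined, escrows it to AD the way the Group Policy setting above would.  The output path is a placeholder; it assumes an elevated prompt and the BitLocker module (Windows 8 / Server 2012 or later).

```powershell
# Added example (not from the original post): export the BitLocker recovery
# password for C: to a file off the encrypted disk, and back it up to AD when
# the machine is domain-joined.  Assumes Windows 8+/Server 2012+, elevated.

$MountPoint = 'C:'
$BackupPath = 'E:\bitlocker-recovery-PLACEHOLDER.txt'   # removable drive, NOT the encrypted volume

$vol = Get-BitLockerVolume -MountPoint $MountPoint

# Make sure a recovery password protector exists; BitLocker generates the 48 digits.
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

# Same information "manage-bde -protectors -get C:" prints, in a form you can file away.
# The protector ID is what the recovery screen shows so you can match key to volume.
$lines = foreach ($p in $recovery) {
    "Computer:          $env:COMPUTERNAME"
    "Volume:            $MountPoint"
    "Protector ID:      $($p.KeyProtectorId)"
    "Recovery Password: $($p.RecoveryPassword)"
    ''
}
Set-Content -Path $BackupPath -Value $lines
"Recovery password(s) written to $BackupPath"

# Domain-joined: escrow to AD as well.  Requires the domain schema and the
# Group Policy setting that permit BitLocker recovery information backup.
$domainJoined = (Get-CimInstance Win32_ComputerSystem).PartOfDomain
if ($domainJoined) {
    foreach ($p in $recovery) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId
    }
    'Recovery password(s) escrowed to Active Directory'
}
```

Whatever you write the file to, it must leave the machine: a copy on the encrypted C: drive is useless at the recovery prompt, which is exactly when you need it.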

You will also be forced to initialize your TPM.  This requires reboot,
during which, the TPM will hash your OS boot blocks, and the TPM will
hardware-generate a new root key that it keeps secret inside itself.  It is
read-only, if your OS boot block hashes never change.  And no matter what,
you cannot write keys to it.  (That's important.  Because the root keys were
hardware generated and you cannot enter them yourself later, it's impossible
to backup or restore your TPM root keys.  But they have a clever solution to
this.  See below.)

_______________________________________________
Tech mailing list
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
 http://lopsa.org/
